GitHub Advisory Database: GHSA-5CGX-VHFP-6CF9
History: Feb 15, 2022 - 1:57 a.m.

Directory traversal in Kubernetes Secrets Store CSI Driver

2022-02-15 01:57:18
CWE-20, CWE-22, CWE-24
GitHub Advisory Database (github.com)
Tags: kubernetes, secrets store csi driver, directory traversal, v0.0.15, v0.0.16, attacker, host filesystem, sync content, go packages, controllers, rotation, software

CVSS2: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.001
Percentile: 37.3%

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

Specific Go Packages Affected

sigs.k8s.io/secrets-store-csi-driver/controllers
sigs.k8s.io/secrets-store-csi-driver/pkg/rotation
sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store

Affected configurations

Vulners
Node: sigs.k8s.io secrets-store-csi-driver, Range: <0.0.17

Vendor: sigs.k8s.io
Product: secrets-store-csi-driver
Version: *
CPE: cpe:2.3:a:sigs.k8s.io:secrets-store-csi-driver:*:*:*:*:*:*:*:*
